SCIM Configuration

This document describes how to configure SAML SSO and SCIM (System for Cross-domain Identity Management) provisioning (managed by Okta) for the Censys Platform. SCIM allows you to automatically provision and deprovision users in Censys based on assignments in your identity provider (IdP).

Prerequisites

Before beginning the integration, ensure you have the following:

  • Administrative privileges in your Okta organization.
  • A Censys enterprise-level plan with organization-level administrative access.
  • Access to your authoritative DNS provider to add TXT records for domain verification.

Supported Features

The Censys integration with Okta supports the following capabilities:

  • SAML 2.0 Authentication: Supports both Identity Provider (IdP) initiated and Service Provider (SP) initiated SSO flows.
  • Just-in-Time (JIT) Provisioning: A user who is assigned to the Censys application and signs in through SAML SSO before SCIM has pushed them is automatically provisioned in Censys at login. SAML SSO works whether or not SCIM provisioning is enabled.
  • User Provisioning (SCIM):
    • Push Users: Automatically create users in Censys when assigned in Okta.
    • Update User: Synchronize attribute changes to user profiles (e.g., name, status) from Okta to Censys.
    • Deactivate Users: Automatically deactivate or remove user access in Censys when they are unassigned or deactivated in Okta.
    • Import Users: Import existing Censys users into Okta to confirm their provisioning state and match them to Okta profiles. Only active, SCIM-managed users are returned; users that have been deactivated or unassigned are intentionally excluded.

Configuration Steps: SAML Setup

1. Configure SAML in the Censys Platform

  1. Log in to the Censys Platform and navigate to Account Management > Organization Settings > Security > Single Sign-On.
  2. Click the Set up SAML button.
  3. Copy the SAML ID from the bottom of the Edit/Configure SAML page. This ID will be used in the Okta application configuration.

  4. Keep this page open to complete the configuration later.

2. Add the Censys App from the Okta Catalog

  1. Log in to your Okta Admin Console.

  2. Navigate to Applications > Applications > Browse App Catalog.

  3. Search for "Censys" and select Add Integration.

  4. In General Settings, enter a label (e.g., "Censys"). Then, scroll to the SAML ID field and paste the SAML ID copied from the Censys platform. Click Done.

  5. In Sign On, copy the Metadata URL for the Okta app.

3. Finalize SAML Configuration in Censys

  1. Return to the Censys SAML configuration page.

  2. Under Identity Provider Information > Use Metadata URL to populate IdP fields, paste the copied Okta Metadata URL into the Metadata URL field.

  3. Click Populate.

  4. If you want to allow IdP-initiated logins, make sure Allow IdP Initiated Login Endpoint is enabled.

  5. Click the Save Configuration button at the top of the page.

4. Verify Domain(s)

  1. Click on the + Add Domain button.

  2. Enter the domain name and click the input button.

  3. Copy the text starting with censys-domain-verification= and create a TXT record in your DNS provider. Each domain needs to be verified with its unique TXT record. Reach out to your Censys customer representative if you are unable to use TXT records for domain verification.

  4. Click the verify button to verify control of the domain.

5. Generate SCIM Bearer Token in Censys

  1. Navigate to Account Management > Organization Settings > Security > Single Sign-On > SAML Configuration > SCIM Provisioning and click the "Set up SCIM" button.
  2. In the sidebar that appears, under "SCIM Bearer Token", click the "Generate Token" button.

  3. Copy the token and store it securely. Tokens are shown only at creation and cannot be recovered. A token can be regenerated, which invalidates the existing token.

  4. Click the "Enable now" button to enable the SCIM API for the SAML configuration.

    📘

    Note: SAML SSO and SCIM work together

    Enabling SCIM does not restrict SAML SSO. A user who is assigned to the Censys application and signs in through SAML before SCIM has provisioned them is automatically provisioned at login (see SAML SSO with SCIM enabled). Users who are unassigned or deactivated in your IdP are blocked from signing in and are not re-provisioned.

6. Configure SCIM Provisioning

  1. In Okta, navigate to the Provisioning tab of the Censys application and click Configure API Integration.

  2. Check Enable API integration.

  3. Enter your API Token generated from the Censys platform.

  4. Click Test API Credentials to verify the connection, then click Save.

  5. In the To App settings, click Edit and enable the following features:

    • Create Users
    • Update User Attributes
    • Deactivate Users

  6. Click Save.
  7. Remember to add all users to the Censys app in Okta.
📘

Note: Censys SCIM only allows for provisioning users with the default user role set by the Platform, which follows a least privilege model. The Platform does not currently support setting specific roles via SCIM.

7. Enable SSO Login

A disabled SAML configuration does not redirect users to log in via the IdP.

  1. Navigate to Account Management > Organization Settings > Security > Single Sign-On.

  2. Find the SAML configuration that you want to enable.

  3. Toggle the switch from Disabled to Enabled.

Service Provider (SP) Initiated SSO

Users can authenticate directly through the Censys platform by following these steps:

  1. Navigate to the Censys login page at https://accounts.censys.io.
  2. Select Log in with SSO.
  3. Enter your organization's email address.
  4. You will be redirected to your Okta dashboard for authentication. Upon success, you will be logged into Censys.

SAML SSO with SCIM enabled (Just-in-Time provisioning)

SAML SSO and SCIM provisioning are complementary and work together. Enabling SCIM does not block SAML SSO.

When SCIM is enabled and a user signs in through SAML SSO (IdP- or SP-initiated):

  • If the user has already been provisioned by SCIM, they are signed in normally.
  • If the user has not yet been provisioned by SCIM (for example, SCIM push has not run yet, or SCIM is configured but the user was just assigned), Censys provisions them just-in-time at login. A Censys user, organization membership, and SCIM identity link are created automatically, and the login completes. The user is then a fully SCIM-managed user and subsequent SCIM updates and deactivations apply to them normally.
  • If the user has been deprovisioned in Okta (unassigned from the app or deactivated), they are blocked from signing in. JIT provisioning never re-creates a user that the IdP has explicitly removed, so offboarding remains durable.
📘

Note

For JIT-provisioned users to converge with SCIM on the same identity, the userName value sent in the SAML assertion should match the userName sent during SCIM provisioning. Map the same Okta attribute to userName in both the SAML attribute statements and the SCIM provisioning settings (for most Okta tenants this is the Okta username). See Attributes.

Disable SCIM

To pause SCIM provisioning without losing your configuration:

  1. Go to Account Management > Security.

  2. Under SCIM Provisioning, toggle the status to Disabled.

  3. A confirmation dialog appears. Click Disable to confirm.

SCIM provisioning (including just-in-time provisioning at login) is paused. SAML SSO continues to work for users who already have access. Your bearer token is preserved and resumes working when you re-enable SCIM.

Attributes and mappings

SCIM attributes

The following attributes are synchronized by Okta during SCIM provisioning.

| Censys attribute | SCIM attribute | Required | Mutability |
|---|---|---|---|
| User name | userName | Yes | Mutable |
| Email | emails[primary eq true].value | Yes | Immutable after provisioning |
| First name | name.givenName | Yes | Mutable |
| Last name | name.familyName | Yes | Mutable |
| Active status | active | No | Mutable |

userName is required by the SCIM specification (RFC 7643) and is the primary identifier Censys uses to reconcile a user. Censys rejects any SCIM create or replace request that omits it. In Okta this value comes from the Application username format under Credentials Details; set it to Okta username so that the same value is sent on every provisioning and login event. A primary email, name.givenName, and name.familyName are also required.

SAML attributes

Censys expects the following attributes in the SAML assertion. email, given_name, and last_name are required for login. userName is optional but recommended when SCIM is enabled so that just-in-time provisioning links the user to the same identity SCIM provisions.

| Censys claim | Accepted SAML attribute names (case insensitive) |
|---|---|
| email | email |
| given name | given_name, givenname, first_name, firstname |
| last name | last_name, lastname, sur_name, surname, sn |
| user name | username, user_name, preferred_username, upn, userPrincipalName |
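
The attribute rules above (required SCIM attributes, accepted SAML attribute names, and the userName match that lets a JIT-provisioned user converge with SCIM) can be checked before rollout. This is an added example, not Censys or Okta code. The function names and sample values are assumptions, and userName is compared as an exact string because this page does not say how Censys normalizes it.

```python
"""Added example: pre-flight check of an IdP attribute mapping (constructed data)."""

# Accepted SAML attribute names per Censys claim, lowercased (matching is case insensitive).
SAML_ALIASES = {
    "email": {"email"},
    "given_name": {"given_name", "givenname", "first_name", "firstname"},
    "last_name": {"last_name", "lastname", "sur_name", "surname", "sn"},
    "userName": {"username", "user_name", "preferred_username", "upn", "userprincipalname"},
}
SAML_REQUIRED = ("email", "given_name", "last_name")

def resolve_saml_claims(attributes):
    """Map raw SAML attribute names to Censys claims, ignoring case."""
    claims = {}
    for name, value in attributes.items():
        for claim, aliases in SAML_ALIASES.items():
            if name.lower() in aliases and value:
                claims.setdefault(claim, value)
    return claims

def missing_scim_attributes(user):
    """Return the required SCIM attributes absent from a User resource."""
    name = user.get("name") or {}
    present = {
        "userName": user.get("userName"),
        "name.givenName": name.get("givenName"),
        "name.familyName": name.get("familyName"),
        "emails[primary eq true].value": any(
            e.get("primary") is True and e.get("value") for e in user.get("emails") or []),
    }
    return [attr for attr, value in present.items() if not value]

def check_mapping(saml_attributes, scim_user):
    """List problems that break login or split a JIT user from its SCIM identity."""
    problems = [f"SCIM: missing {a}" for a in missing_scim_attributes(scim_user)]
    claims = resolve_saml_claims(saml_attributes)
    problems += [f"SAML: missing {c}" for c in SAML_REQUIRED if c not in claims]
    if "userName" not in claims:
        problems.append("SAML: no userName attribute (recommended with SCIM)")
    elif claims["userName"] != scim_user.get("userName"):  # assumption: exact match
        problems.append("userName differs between SAML and SCIM")
    return problems

# Constructed sample data, not real accounts.
SCIM_USER = {"userName": "alice@example.com",
             "name": {"givenName": "Alice", "familyName": "Ng"},
             "emails": [{"value": "alice@example.com", "primary": True}]}
SAML_DRIFT = {"Email": "alice@example.com", "firstName": "Alice", "SN": "Ng", "UPN": "alice"}

print(check_mapping(SAML_DRIFT, SCIM_USER))
```

In the sample, the SAML assertion sends a short login name while SCIM sends the full Okta username, which is the drift the userName note on this page warns about.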

Import Users

Censys supports importing existing users from the Censys Platform into Okta. Use this to reconcile users that were created directly in Censys (or provisioned just-in-time at SAML login) with their Okta profiles, and to confirm the current provisioning state.

  1. In Okta, navigate to the Import tab of the Censys application.
  2. Click Import Now to run an on-demand import, or configure a scheduled import (Provisioning > To Okta) to run automatically.
  3. Okta retrieves the list of users from Censys and matches them to existing Okta users by username. Review the results and confirm any users to be linked to (or created in) Okta.
📘

Note: only active users are imported

The Censys SCIM /Users endpoint returns only active, SCIM-managed users. Users who have been deactivated or unassigned in your IdP are intentionally excluded from import results, so that re-assignment is handled as a fresh push (create) rather than an update. As a result, deactivated users do not appear in import results. Censys supports user import only; group import is not available.